Collect HPE iLO logs
This document explains how to ingest HPE iLO (Hewlett Packard Enterprise Integrated Lights-Out) logs into Google Security Operations using Bindplane. The parser first attempts to parse the raw log message as JSON. If that fails, it uses regular expressions (grok patterns) to extract fields from the message based on common HPE iLO log formats.
Before you begin
Ensure that you have the following prerequisites:
- Google SecOps instance
- Windows 2016 or later, or a Linux host with systemd
- If running behind a proxy, the required firewall ports are open
- Privileged access to HPE iLO
Get Google SecOps ingestion authentication file
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Collection Agents.
- Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.
Get Google SecOps customer ID
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Profile.
- Copy and save the Customer ID from the Organization Details section.
Install the Bindplane agent
Windows installation
- Open the Command Prompt or PowerShell as an administrator.
- Run the following command:
  msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet
Linux installation
- Open a terminal with root or sudo privileges.
- Run the following command:
  sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh
Additional installation resources
For additional installation options, consult the installation guide.
Configure the Bindplane agent to ingest Syslog and send to Google SecOps
- Access the configuration file:
  - Locate the config.yaml file. Typically, it's in the /etc/bindplane-agent/ directory on Linux or in the installation directory on Windows.
  - Open the file using a text editor (for example, nano, vi, or Notepad).
- Edit the config.yaml file as follows:

  receivers:
    udplog:
      # Replace the port and IP address as required
      listen_address: "0.0.0.0:514"

  exporters:
    chronicle/chronicle_w_labels:
      compression: gzip
      # Adjust the path to the credentials file you downloaded in Step 1
      creds: '/path/to/ingestion-authentication-file.json'
      # Replace with your actual customer ID from Step 2
      customer_id: <customer_id>
      endpoint: malachiteingestion-pa.googleapis.com
      # Add optional ingestion labels for better organization
      ingestion_labels:
        log_type: HPE_ILO
        raw_log_field: body

  service:
    pipelines:
      logs/source0__chronicle_w_labels-0:
        receivers:
          - udplog
        exporters:
          - chronicle/chronicle_w_labels

- Replace the port and IP address as required in your infrastructure.
- Replace <customer_id> with the actual customer ID.
- Update /path/to/ingestion-authentication-file.json to the path where the authentication file was saved in the Get Google SecOps ingestion authentication file section.
Restart the Bindplane agent to apply the changes
- To restart the Bindplane agent in Linux, run the following command:
  sudo systemctl restart bindplane-agent
- To restart the Bindplane agent in Windows, you can either use the Services console or enter the following command:
  net stop BindPlaneAgent && net start BindPlaneAgent
Configure Syslog in HPE iLO
- Sign in to the HPE iLO web UI.
- Go to Management > Remote Syslog tab.
- Click Enable iLO Remote Syslog.
- Provide the following configuration details:
  - Remote Syslog Port: Enter the Bindplane port number (for example, 514).
  - Remote Syslog Server: Enter the Bindplane IP address.
- Click Send Test Syslog and validate it was received in Google SecOps.
- Click Apply.
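Before relying on the iLO's Send Test Syslog button, it helps to confirm that a UDP datagram actually reaches the port the udplog receiver listens on. The following Python script is an added example (it is not part of this page, Bindplane, or HPE iLO): it builds an RFC 3164 style syslog line, sends it over UDP, and reads it back from a local listener. The event text and hostname are constructed stand-ins, since this page does not specify the exact wording an iLO emits.

```python
import socket
from datetime import datetime, timezone

# Constructed sample event text; the exact wording an iLO emits is not
# specified on this page, so treat it as a stand-in.
SAMPLE_EVENT = "iLO 5 Browser login: admin from 192.0.2.10"


def build_syslog_line(hostname, message, facility=1, severity=6, ts=None):
    """Build an RFC 3164 style datagram: <PRI>Mmm dd HH:MM:SS host message."""
    pri = facility * 8 + severity  # user-level facility, informational severity
    ts = ts or datetime.now(timezone.utc)
    # RFC 3164 pads a single-digit day with a space, not a zero.
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"
    return f"<{pri}>{stamp} {hostname} {message}"


def open_udp_listener(host="127.0.0.1", port=0, timeout=2.0):
    """Bind a UDP socket like the udplog receiver does (port 0 = any free port)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    sock.settimeout(timeout)
    return sock


def send_syslog(line, host, port):
    """Send one datagram; returns the number of bytes sent."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        return sock.sendto(line.encode("utf-8"), (host, port))
    finally:
        sock.close()


def receive_one(sock):
    """Return (text, sender) for the next datagram, or None on timeout."""
    try:
        data, sender = sock.recvfrom(65535)
    except socket.timeout:
        return None
    return data.decode("utf-8", errors="replace"), sender


def loopback_check(port=0):
    """Send one constructed message to a local listener; return (sent, received)."""
    listener = open_udp_listener(port=port)
    try:
        bound_port = listener.getsockname()[1]
        line = build_syslog_line("ilo-lab-01", SAMPLE_EVENT)  # constructed hostname
        send_syslog(line, "127.0.0.1", bound_port)
        got = receive_one(listener)
        return line, (got[0] if got else None)
    finally:
        listener.close()


if __name__ == "__main__":
    sent, received = loopback_check()
    print("sent:    ", sent)
    print("received:", received)
```

To check the real path, run open_udp_listener on the Bindplane host bound to the configured port while the agent is stopped (port 514 needs root and only one process can own it), then call send_syslog from the network segment the iLO sits on. If the listener sees nothing, the problem is the firewall or routing, not the agent configuration; if it does but Google SecOps shows nothing, look at the exporter settings and the agent's own logs instead.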
UDM mapping table
Log field | UDM mapping | Logic |
---|---|---|
data | | This field is parsed and mapped to various UDM fields based on its content. |
data.HOSTNAME | principal.hostname | Mapped when the first grok pattern in the "message" field matches, or when the "description" field contains "Host". Determines whether event_type is STATUS_UPDATE. |
data.HOSTNAME | network.dns.questions.name | Populated by the grok pattern matching "DATA" in "message". Used to populate dns.questions if not empty and it does not contain "(?i)not found". |
data.HOSTNAME | target.user.user_display_name | Populated by the grok pattern matching "DATA" in "message". |
data.IP | target.ip | Populated by grok patterns matching "IP" in "message" or "summary". |
data.WORD | metadata.product_event_type | Populated by the grok pattern matching "WORD" in "message". |
data.GREEDYDATA | security_result.summary | Populated by the grok pattern matching "GREEDYDATA" in "message". Used to determine network.application_protocol and event_type based on its content. |
data.TIMESTAMP_ISO8601 | metadata.event_timestamp | Populated by the date plugin based on various timestamp formats. |
data.MONTHNUM | Not Mapped | |
data.MONTHDAY | Not Mapped | |
data.YEAR | Not Mapped | |
data.TIME | Not Mapped | |
data.HOST | principal.hostname | Mapped when the second grok pattern in the "message" field matches. |
data.INT | Not Mapped | |
data.UserAgent | network.http.user_agent | Mapped when the description field contains User-Agent. |
data.Connection | security_result.description | Mapped when the description field contains Connection. |
N/A | metadata.event_type | Defaults to GENERIC_EVENT. Changes to STATUS_UPDATE if data.HOSTNAME is successfully mapped to principal.hostname, NETWORK_DNS if question is populated, or USER_LOGIN if summary contains Browser login. |
N/A | metadata.vendor_name | Hardcoded to HP. |
N/A | metadata.log_type | Set to HPE_ILO. |
N/A | network.application_protocol | Set to LDAP if summary contains LDAP, or DNS if question is populated. |
N/A | extensions.auth.type | Set to MACHINE if summary contains Browser login. |
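The following Python sketch is an added example, not the Google SecOps parser itself, that walks through the logic the table describes: JSON is tried first, then a small set of grok-like regular expressions, and the captured fields are mapped to UDM with the event_type rules applied in the order the table lists them (so a later rule overrides an earlier one; that precedence is an assumption). The regex shapes, the "DNS lookup" line format, and the sample lines are all constructed for illustration and are not taken from real iLO output; the target.user.user_display_name and data.HOST rows are left out to keep the example short.

```python
import json
import re

# Grok-like named captures approximating the ones the mapping table names
# (HOSTNAME, IP, WORD, GREEDYDATA, TIMESTAMP_ISO8601, DATA). These regexes are
# an assumption about the shapes the real parser uses, not a copy of it.
TIMESTAMP_ISO8601 = r"(?P<TIMESTAMP_ISO8601>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:?\d{2})?)"
HOSTNAME = r"(?P<HOSTNAME>[A-Za-z0-9][A-Za-z0-9.-]*)"
IP = r"(?P<IP>(?:\d{1,3}\.){3}\d{1,3})"
WORD = r"(?P<WORD>\w+)"
GREEDYDATA = r"(?P<GREEDYDATA>.*)"

# Order matters: the most specific shape is tried first.
PATTERNS = [
    # "<iso timestamp> <host> <WORD> <free text>"
    re.compile(rf"^{TIMESTAMP_ISO8601}\s+{HOSTNAME}\s+{WORD}\s+{GREEDYDATA}$"),
    # "<host> DNS lookup <DATA>"  (constructed shape for the DNS case)
    re.compile(rf"^{HOSTNAME}\s+DNS lookup\s+(?P<DATA>.+)$"),
    # "<host> <free text>"
    re.compile(rf"^{HOSTNAME}\s+{GREEDYDATA}$"),
]


def parse_message(raw):
    """Try JSON first; otherwise fall back to the grok-like patterns."""
    try:
        obj = json.loads(raw)
        if isinstance(obj, dict):
            return {"_format": "json", **obj}
    except ValueError:
        pass
    for pattern in PATTERNS:
        match = pattern.match(raw.strip())
        if match:
            return {"_format": "grok", **{k: v for k, v in match.groupdict().items() if v}}
    return {"_format": "unparsed", "message": raw}


def to_udm(raw):
    """Map the parsed fields to UDM following the mapping table."""
    data = parse_message(raw)
    udm = {"metadata": {"vendor_name": "HP", "log_type": "HPE_ILO",
                        "event_type": "GENERIC_EVENT"}}
    summary = data.get("GREEDYDATA") or data.get("summary") or ""
    description = data.get("description") or ""

    if data.get("HOSTNAME"):
        udm.setdefault("principal", {})["hostname"] = data["HOSTNAME"]
        udm["metadata"]["event_type"] = "STATUS_UPDATE"
    if data.get("TIMESTAMP_ISO8601"):
        udm["metadata"]["event_timestamp"] = data["TIMESTAMP_ISO8601"]
    if data.get("WORD"):
        udm["metadata"]["product_event_type"] = data["WORD"]

    # The DNS question is dropped when the captured text says "not found".
    question = (data.get("DATA") or "").strip()
    if question and not re.search(r"not found", question, re.IGNORECASE):
        udm.setdefault("network", {})["dns"] = {"questions": [{"name": question}]}
        udm["network"]["application_protocol"] = "DNS"
        udm["metadata"]["event_type"] = "NETWORK_DNS"

    if summary:
        udm.setdefault("security_result", {})["summary"] = summary
        if "LDAP" in summary:
            udm.setdefault("network", {})["application_protocol"] = "LDAP"
        if "Browser login" in summary:
            udm["metadata"]["event_type"] = "USER_LOGIN"
            udm.setdefault("extensions", {})["auth"] = {"type": "MACHINE"}

    # target.ip comes from an IP capture in the message or inside the summary.
    ip_match = re.search(IP, summary)
    ip = data.get("IP") or (ip_match.group("IP") if ip_match else None)
    if ip:
        udm.setdefault("target", {})["ip"] = ip

    # JSON records: the table keys these two off the description text.
    if "User-Agent" in description and data.get("UserAgent"):
        udm.setdefault("network", {})["http"] = {"user_agent": data["UserAgent"]}
    if "Connection" in description and data.get("Connection"):
        udm.setdefault("security_result", {})["description"] = data["Connection"]
    return udm


# Constructed sample lines (not real iLO output).
SAMPLES = [
    "2024-03-05T07:08:09Z ilo-lab-01 LOGIN Browser login: admin from 192.0.2.10",
    "ilo-lab-01 LDAP bind to directory server 192.0.2.20 succeeded",
    "ilo-lab-01 DNS lookup ldap.example.com",
    "ilo-lab-01 DNS lookup ldap.example.com not found",
    json.dumps({"description": "User-Agent seen", "UserAgent": "Mozilla/5.0",
                "HOSTNAME": "ilo-lab-01"}),
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(json.dumps(to_udm(line), indent=2))
```

Running the script on the five constructed lines shows the four event_type outcomes side by side: the timestamped login line becomes USER_LOGIN with auth.type MACHINE and target.ip pulled out of the summary, the LDAP line stays STATUS_UPDATE but gains application_protocol LDAP, the DNS line becomes NETWORK_DNS, the "not found" variant keeps no DNS question at all, and the JSON record reaches network.http.user_agent without touching the regexes. When you extend the real parser, the same mental check applies: decide which rule should win when several match, and keep a sample line for each branch.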